Merge pull request #365 from uselagoon/log4j-mitigation
tobybellwood authored Dec 15, 2021
2 parents b09057e + 9d6cb96 commit 2f7eb8b
Showing 7 changed files with 40 additions and 0 deletions.
7 changes: 7 additions & 0 deletions images/elasticsearch/6.Dockerfile
Expand Up @@ -35,6 +35,13 @@ ENV TMPDIR=/tmp \
# When Bash is invoked as non-interactive (like `bash -c command`) it sources a file that is given in `BASH_ENV`
BASH_ENV=/home/.bashrc

RUN yum -y install zip && yum -y clean all && rm -rf /var/cache

# Mitigation for CVE-2021-45046 and CVE-2021-44228 (already removed from first jar file)
# RUN zip -q -d /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
RUN zip -q -d /usr/share/elasticsearch/bin/elasticsearch-sql-cli-6.8.21.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


RUN sed -i 's/discovery.zen.minimum_master_nodes: 1//' config/elasticsearch.yml

RUN echo $'xpack.security.enabled: false\n\
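Review bot: The commented-out `zip -d` for `lib/log4j-core-2.11.1.jar` encodes an assumption that the base image has already stripped `JndiLookup.class` from that jar, but nothing in the build verifies it, so a base-image rebuild or tag bump that brings the class back would pass silently (the line is presumably commented out because `zip -d` exits non-zero when the entry is absent). A build-time assertion after the removal keeps the invariant explicit: `RUN ! zip -sf /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar | grep -q 'lookup/JndiLookup.class' \` / `&& ! zip -sf /usr/share/elasticsearch/bin/elasticsearch-sql-cli-6.8.21.jar | grep -q 'lookup/JndiLookup.class'`. `zip -sf` is used to list entries because only the `zip` package is installed in this layer; `unzip -l` would need another package, and the check would also need a preceding `test -f` on each jar if you want a missing file to fail rather than pass. I would also reword the comment so it records what was verified rather than a bare "already removed", e.g. `# JndiLookup.class is already absent from lib/log4j-core-2.11.1.jar in this base image (verified below); only the SQL CLI jar still bundles it`.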
6 changes: 6 additions & 0 deletions images/elasticsearch/7.Dockerfile
Expand Up @@ -35,6 +35,12 @@ ENV TMPDIR=/tmp \
# When Bash is invoked as non-interactive (like `bash -c command`) it sources a file that is given in `BASH_ENV`
BASH_ENV=/home/.bashrc

RUN yum -y install zip && yum -y clean all && rm -rf /var/cache

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.8.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

RUN echo $'\n\
node.name: "${HOSTNAME}"\n\
node.master: "${NODE_MASTER}"\n\
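Review bot: The Elasticsearch images in this PR rely only on stripping `JndiLookup.class`, while the Logstash images also carry `-Dlog4j2.formatMsgNoLookups=true`; if `ES_JAVA_OPTS` is not set elsewhere in this file, consider adding the property as a second layer for consistency, keeping in mind that the class removal is what actually covers CVE-2021-45046 and the property is only belt-and-braces. The mitigation comment should also say what this step does not do: the jar name and version string are unchanged, so SBOM and vulnerability scanners keyed on `log4j-core-2.11.1.jar` will keep flagging the image until the base image moves to a release that ships a fixed log4j. Suggested wording: `# Strips JndiLookup.class (Apache-recommended mitigation for CVE-2021-44228/45046); the jar still reports 2.11.1, so scanners will flag it until the base image is bumped to a patched release`. Putting both removals in one RUN is good, since a failure on either jar aborts the build rather than producing a half-patched image.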
6 changes: 6 additions & 0 deletions images/logstash/6.Dockerfile
Expand Up @@ -39,6 +39,12 @@ ENV TMPDIR=/tmp \
RUN fix-permissions /usr/share/logstash/data \
&& fix-permissions /usr/share/logstash/config

RUN yum -y install zip && yum -y clean all && rm -rf /var/cache

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.15.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-5.2.3-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.3/logstash-input-tcp-5.2.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

ENV LS_JAVA_OPTS "-Xms400m -Xmx400m -Dlog4j2.formatMsgNoLookups=true"

ENTRYPOINT ["/sbin/tini", "--", "/lagoon/entrypoints.bash", "/usr/local/bin/docker-entrypoint"]
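Review bot: Only two jars are patched here — `logstash-core/lib/jars/log4j-core-2.15.0.jar` and the jar bundled by the `logstash-input-tcp` plugin — but any other plugin under `vendor/bundle` that shades log4j-core would keep its own copy of `JndiLookup.class`, and the hand-enumerated paths give no signal about that. Rather than listing jars by hand, make the build fail if any jar under `/usr/share/logstash` still contains the class after the removal step: `RUN ! find /usr/share/logstash -name '*.jar' -exec sh -c 'zip -sf "$1" | grep -q lookup/JndiLookup.class' _ {} \; -print | grep .`. This uses `zip -sf` because only `zip` is installed in this image; it lists top-level entries only, so a jar nested inside another jar would not be seen. Worth noting in the comment that log4j-core 2.15.0 is still affected by CVE-2021-45046, so the class removal, not the `formatMsgNoLookups` property on the `LS_JAVA_OPTS` line, is what closes that one.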
6 changes: 6 additions & 0 deletions images/logstash/7.Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,12 @@ ENV TMPDIR=/tmp \
RUN fix-permissions /usr/share/logstash/data \
&& fix-permissions /usr/share/logstash/config

RUN yum -y install zip && yum -y clean all && rm -rf /var/cache

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.6-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.6/logstash-input-tcp-6.0.6.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

ENV LS_JAVA_OPTS "-Xms400m -Xmx400m -Dlog4j2.formatMsgNoLookups=true"

ENTRYPOINT ["/sbin/tini", "--", "/lagoon/entrypoints.bash", "/usr/local/bin/docker-entrypoint"]
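Review bot: The `zip -d` in the mitigation step rewrites the jar in a new layer, but the original `log4j-core-2.12.1.jar` with `JndiLookup.class` intact still exists in the base-image layers underneath; the running container only sees the patched copy, but anyone with pull access can extract the unpatched jar from the lower layer and layer-aware scanners may keep reporting it. A comment should make that limitation visible so nobody treats this as equivalent to an upgraded base image: `# NOTE: the unpatched jar remains in the lower (base image) layers; only bumping the base image removes it from the image entirely`. Separately, `yum -y install zip` is unpinned and the tool stays in the runtime image although it is only needed for the patch step; if you prefer not to ship it, do the install, both `zip -d` calls, `yum -y remove zip` and the cache cleanup in one RUN, since a removal in a later layer does not shrink the image.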
5 changes: 5 additions & 0 deletions images/solr/7.7.Dockerfile
Expand Up @@ -33,6 +33,11 @@ RUN fix-permissions /var/solr \
&& fix-permissions /opt/solr/server/logs \
&& fix-permissions /opt/solr/server/solr

RUN apk add --no-cache zip

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /opt/solr/contrib/prometheus-exporter/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

# solr really doesn't like to be run as root, so we define the default user agin
USER solr
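Review bot: `apk add --no-cache zip` is unpinned and leaves `zip` in the final image even though it is only needed for the single `zip -d` step that follows. The alpine idiom is to install it as a virtual package and drop it in the same layer, so the runtime image does not carry the tool at all; the rewrite below keeps the two removals unchanged. These commands run as root just before `USER solr`; `zip -d` rewrites the archive in place, so it is worth confirming in the build log that the patched jars are still readable by `solr` (presumably unchanged, but not verified here).
```dockerfile
# Mitigation for CVE-2021-45046 and CVE-2021-44228 (zip is only needed for this step)
RUN apk add --no-cache --virtual .log4j-mitigation zip \
    && zip -q -d /opt/solr/server/lib/ext/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
    && zip -q -d /opt/solr/contrib/prometheus-exporter/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
    && apk del .log4j-mitigation
# … unchanged: USER solr …
```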
5 changes: 5 additions & 0 deletions images/solr/7.Dockerfile
Expand Up @@ -29,8 +29,13 @@ USER root
RUN apt-get -y update && apt-get -y install \
busybox \
curl \
zip \
&& rm -rf /var/lib/apt/lists/*

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /opt/solr/contrib/prometheus-exporter/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

RUN architecture=$(case $(uname -m) in x86_64 | amd64) echo "amd64" ;; aarch64 | arm64 | armv8) echo "arm64" ;; *) echo "amd64" ;; esac) \
&& curl -sL https://github.com/krallin/tini/releases/download/v0.19.0/tini-${architecture} -o /sbin/tini && chmod a+x /sbin/tini

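Review bot: The `-q` on both `zip -d` calls suppresses the `deleting: org/apache/logging/log4j/core/lookup/JndiLookup.class` line, which is the only evidence in the build log that the entry was actually found and removed from each jar; for a security-relevant step that log line is worth keeping, so drop `-q` on both lines (zip still exits with a non-zero "Nothing to do" status and fails the build if the entry is absent, so logging does not change the failure mode). While touching the apt line, `apt-get -y install --no-install-recommends busybox curl zip` keeps the layer lean, and hadolint will expect the `zip` version to be pinned (DL3008). The comment could also note that the exporter is a separate JVM with its own log4j copy, which is why both jars need the edit.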
5 changes: 5 additions & 0 deletions images/solr/8.Dockerfile
Expand Up @@ -31,8 +31,13 @@ USER root
RUN apt-get -y update && apt-get -y install \
busybox \
curl \
zip \
&& rm -rf /var/lib/apt/lists/*

# Mitigation for CVE-2021-45046 and CVE-2021-44228
RUN zip -q -d /opt/solr-8.10.1/server/lib/ext/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
&& zip -q -d /opt/solr-8.10.1/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

RUN architecture=$(case $(uname -m) in x86_64 | amd64) echo "amd64" ;; aarch64 | arm64 | armv8) echo "arm64" ;; *) echo "amd64" ;; esac) \
&& curl -sL https://github.com/krallin/tini/releases/download/v0.19.0/tini-${architecture} -o /sbin/tini && chmod a+x /sbin/tini

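Review bot: The paths hard-code both the install directory (`/opt/solr-8.10.1`) and the log4j version (`log4j-core-2.14.1.jar`), so the next base-image bump will break this RUN rather than silently skip it — which is the right failure mode, but nothing tells the maintainer doing the bump why it failed or that this block is meant to be deleted once the base image ships a log4j with JNDI disabled by default (2.16.0 or later). Put that in the comment: `# Mitigation for CVE-2021-45046 and CVE-2021-44228 (interim until the base image ships a fixed log4j).` / `# Paths are pinned on purpose: a base-image bump should fail here instead of skipping the fix — remove this block at that point.` The unpinned `zip` on the apt line and the missing `--no-install-recommends` are the usual hadolint findings (DL3008/DL3015) and could be fixed in the same RUN.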
